ELB Security Groups and Monitoring
Learn about the different security groups and how monitoring works for ELBs.
ELB security groups
Security groups control which ports and protocols can reach the load balancer's front-end listener.
In a non-default VPC you choose which security group to assign to the ELB. That group must allow the ports and protocols of the front-end listener, and it must also allow the health check ports and the backend listener ports so the load balancer can reach the registered instances.
Security group configuration for ELB
Inbound to ELB (allow):
- Internet-facing ELB:
  - Source: 0.0.0.0/0
  - Protocol: TCP
  - Port: ELB listener ports
- Internal-only ELB:
  - Source: VPC CIDR
  - Protocol: TCP
  - Port: ELB listener ports
Outbound from ELB (allow, either type of ELB):
- Destination: security group of the registered EC2 instances
- Protocol: TCP
- Port: health check / listener ports
Security group configuration for registered instances
Inbound to registered instances (allow, either type of ELB):
- Source: ELB security group
- Protocol: TCP
- Port: health check / listener ports
Outbound from registered instances (allow, either type of ELB):
- Destination: ELB security group
- Protocol: TCP
- Port: ephemeral ports
It is also important to ensure that the subnet network ACLs (NACLs) allow the same traffic, since correct security group rules do not help if a NACL blocks the ports.
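As an added example (not part of the original lesson and not AWS code), the following Python audits an ELB security group and its registered-instance security group against the tables above and reports where they depart from them. The input is a list in the shape that boto3's `ec2.describe_security_groups()["SecurityGroups"]` returns; the group ids, ports and the rule set are constructed for the example, so in practice the `groups` list would come from a live call.

```python
"""Audit an ELB security group and its registered-instance security group
against the tables above: the ELB front end accepts only its listener ports,
the ELB can reach the instances on the backend/health-check ports, and the
instances accept backend traffic only from the ELB's security group.

`groups` has the shape of boto3's ec2.describe_security_groups()["SecurityGroups"].
The ids, ports and rules below are constructed for this example (not from a
live account)."""

ELB_SG = "sg-0elb00000000000"       # hypothetical ELB security group id
INSTANCE_SG = "sg-0inst0000000000"  # hypothetical instance security group id
LISTENER_PORTS = {80, 443}          # assumed front-end listener ports
BACKEND_PORTS = {8080}              # assumed backend listener / health-check port


def _ports(perm):
    """TCP ports an IpPermission covers; None means every protocol and port."""
    if perm.get("IpProtocol") == "-1":
        return None
    if perm.get("IpProtocol") != "tcp":
        return set()
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def _peers(perm):
    """CIDR and security-group peers named by a rule."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])


def audit_security_groups(groups, elb_sg=ELB_SG, instance_sg=INSTANCE_SG,
                          listener_ports=LISTENER_PORTS,
                          backend_ports=BACKEND_PORTS):
    """Return a list of findings; an empty list means the pair matches the tables."""
    by_id = {g["GroupId"]: g for g in groups}
    elb, inst = by_id[elb_sg], by_id[instance_sg]
    findings = []

    # 1. ELB inbound: anything beyond the listener ports is needless exposure.
    for perm in elb.get("IpPermissions", []):
        ports = _ports(perm)
        extra = "all traffic" if ports is None else sorted(ports - listener_ports)
        if extra:
            findings.append(f"{elb_sg} inbound allows non-listener ports {extra} "
                            f"from {_peers(perm)}")

    # 2. ELB outbound must reach the instance SG on every backend/health-check
    #    port, otherwise health checks fail and the instances go out of service.
    reachable = set()
    for perm in elb.get("IpPermissionsEgress", []):
        ports = _ports(perm)
        if instance_sg in _peers(perm) or "0.0.0.0/0" in _peers(perm):
            reachable |= backend_ports if ports is None else ports & backend_ports
    if reachable != backend_ports:
        findings.append(f"{elb_sg} outbound does not reach {instance_sg} on "
                        f"port(s) {sorted(backend_ports - reachable)}")

    # 3. Instance inbound on backend ports must come from the ELB SG only;
    #    a CIDR source lets clients bypass the load balancer.
    for perm in inst.get("IpPermissions", []):
        ports = _ports(perm)
        if ports is not None and not ports & backend_ports:
            continue  # unrelated rule (e.g. SSH from a bastion group)
        for peer in _peers(perm):
            if peer != elb_sg:
                findings.append(f"{instance_sg} inbound allows backend port(s) "
                                f"from {peer} instead of {elb_sg} only")
    return findings


def _rule(proto, port, cidrs=(), sgs=()):
    """Build one IpPermission entry in the describe_security_groups() shape."""
    perm = {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in sgs]}
    if proto != "-1":
        perm.update(FromPort=port, ToPort=port)
    return perm


# Constructed sample with two deliberate mistakes: SSH open on the ELB group,
# and the backend port open to the world on the instance group.
SAMPLE_GROUPS = [
    {"GroupId": ELB_SG,
     "IpPermissions": [_rule("tcp", 80, cidrs=["0.0.0.0/0"]),
                       _rule("tcp", 443, cidrs=["0.0.0.0/0"]),
                       _rule("tcp", 22, cidrs=["0.0.0.0/0"])],
     "IpPermissionsEgress": [_rule("tcp", 8080, sgs=[INSTANCE_SG])]},
    {"GroupId": INSTANCE_SG,
     "IpPermissions": [_rule("tcp", 8080, sgs=[ELB_SG]),
                       _rule("tcp", 8080, cidrs=["0.0.0.0/0"])],
     "IpPermissionsEgress": [_rule("-1", None, cidrs=["0.0.0.0/0"])]},
]

if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print("FINDING:", finding)
```

The third check is the one that matters most for the design in the tables: once an instance's security group accepts the backend port from a CIDR instead of from the ELB's group, traffic can reach the instances without passing through the load balancer, so the "line of defense" described below no longer holds.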
Distributed Denial of Service (DDoS) protection
- ELB automatically distributes incoming application traffic across multiple targets such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses, and multiple Availability Zones, which minimizes the risk of overloading a single resource.
- ELB, like CloudFront, only supports valid TCP requests, so DDoS attacks such as UDP and SYN floods are not able to reach EC2 instances.
- ELB also offers a single point of management and can serve as a line of defense between the internet and your backend, private EC2 instances.
ELB monitoring
Monitoring takes place using the following:
- CloudWatch metrics: published every 1 minute
  - ELB only sends metrics while requests are flowing through the load balancer.
  - Metrics can be used to trigger SNS notifications (via CloudWatch alarms).
- Access logs
  - Disabled by default
  - Include information about the clients that is not present in CloudWatch metrics
  - Can identify the requester, IP address, request type, etc.
  - Can optionally be stored and retained in S3
- CloudTrail
  - Can be used to capture API calls made to the ELB
  - Can be stored in an S3 bucket
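As an added example, not taken from the lesson or from AWS, here is a small Python parser for Classic Load Balancer access-log lines that pulls out what the CloudWatch metrics above cannot give you: the client IP, method and URL of each request, the user agent, and per-client counts of 5xx responses and of requests the load balancer could not dispatch to any backend. It assumes the Classic Load Balancer access-log field order (timestamp, ELB name, client:port, backend:port, three processing times, ELB and backend status codes, bytes received and sent, quoted request, quoted user agent, TLS cipher and protocol); the log lines are constructed for the example.

```python
"""Parse Classic Load Balancer access-log lines and summarise per client
what the CloudWatch metrics above do not carry: which IP sent which
requests, with what user agent, and how many of them failed.

Field order assumed here is the Classic Load Balancer access-log format
(timestamp, elb, client:port, backend:port, request/backend/response
processing times, elb status, backend status, received bytes, sent bytes,
quoted request, quoted user agent, ssl cipher, ssl protocol). The log
lines are constructed for this example, not taken from a real load balancer."""

import shlex

FIELDS = ["timestamp", "elb", "client", "backend", "request_processing_time",
          "backend_processing_time", "response_processing_time",
          "elb_status_code", "backend_status_code", "received_bytes",
          "sent_bytes", "request", "user_agent", "ssl_cipher", "ssl_protocol"]

# Constructed sample: one browser client, and one scripted client that gets a
# backend 500 and then a 503 that the ELB answered without reaching a backend
# (backend field "-", processing times -1).
SAMPLE_LOG = """\
2024-01-15T10:00:01.123456Z web-elb 203.0.113.10:51234 10.0.1.20:8080 0.000050 0.002100 0.000040 200 200 0 512 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2024-01-15T10:00:02.234567Z web-elb 203.0.113.10:51235 10.0.1.20:8080 0.000048 0.001900 0.000042 200 200 0 340 "GET https://www.example.com:443/login HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2024-01-15T10:00:03.345678Z web-elb 198.51.100.7:40001 10.0.1.21:8080 0.000051 0.003300 0.000039 500 500 210 128 "POST https://www.example.com:443/login HTTP/1.1" "curl/7.88.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2024-01-15T10:00:04.456789Z web-elb 198.51.100.7:40002 - -1 -1 -1 503 0 0 0 "GET https://www.example.com:443/admin HTTP/1.1" "curl/7.88.1" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
"""


def parse_line(line):
    """Return one access-log entry as a dict, or None if the line is malformed."""
    tokens = shlex.split(line)  # keeps the quoted request and user agent intact
    if len(tokens) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, tokens))
    entry["client_ip"] = entry["client"].rsplit(":", 1)[0]
    # request is "METHOD URL PROTOCOL" ("- - -" for TCP listeners, which have
    # no HTTP request line to log)
    parts = entry["request"].split(" ")
    entry["method"], entry["url"] = (parts[0], parts[1]) if len(parts) == 3 else ("-", "-")
    entry["elb_status_code"] = int(entry["elb_status_code"])
    entry["backend_status_code"] = int(entry["backend_status_code"])
    entry["backend_reached"] = entry["backend"] != "-"
    return entry


def summarize(log_text):
    """Per-client request count, 5xx count, undispatched count, URLs and user agents."""
    summary = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        stats = summary.setdefault(entry["client_ip"], {
            "requests": 0, "errors": 0, "undispatched": 0,
            "urls": set(), "user_agents": set()})
        stats["requests"] += 1
        if entry["elb_status_code"] >= 500:
            stats["errors"] += 1
        if not entry["backend_reached"]:
            stats["undispatched"] += 1
        stats["urls"].add(entry["url"])
        stats["user_agents"].add(entry["user_agent"])
    return summary


if __name__ == "__main__":
    for ip, stats in summarize(SAMPLE_LOG).items():
        print(ip, stats["requests"], "requests,", stats["errors"], "5xx,",
              stats["undispatched"], "undispatched, URLs:", sorted(stats["urls"]))
```

In practice `summarize` would be fed the lines read from the log objects the load balancer delivers to the S3 bucket mentioned above; the parser is specific to the Classic Load Balancer format and would need a different `FIELDS` list for Application Load Balancer logs, which carry additional fields.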
Limits
The following table details the default limits for your account on a per-region basis:
| Name | Default Limit |
|---|---|
| Application Load Balancers | 20 |
| Network Load Balancers | 20 |
| Target Groups | 3000 |
| Classic Load Balancers | 20 |